Search code examples
asp.net-coreasp.net-web-apijwtbearer-token

JWT Bearer Keeps returning 401 Status - Bearer error="invalid_token", error_description="The signature is invalid"


I implemented Jwt Bearer in my Web API, I successfully get a login token. I copy/paste this token to use it for authorization and I receive

Bearer error="invalid_token", error_description="The signature is invalid"

ValidIssuer is the WebAPI Url, deployed in Azure

ValidAudience is the Angular Front-End URL, also deployed in Azure

I spent hours looking for the problem and I don't seem to find a solution.

Even turning ValidateIssuer & -Audience to false, doesn't solve the problem. Did I miss something or do you see the error?

Startup.cs

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddCors(options =>
            {
                options.AddPolicy("CorsPolicy", builder =>
                {
                    builder.AllowAnyOrigin()
                    .AllowAnyHeader()
                    .AllowAnyMethod();
                });
            });
            services.ConfigureIISIntegration();

            services.ConfigureMsSqlContext(Configuration);

            services.ConfigureRepositoryWrapper();

            services.AddAuthentication(opt => {
                opt.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                opt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                opt.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
            })
            .AddJwtBearer(options =>
            {
                options.SaveToken = true;
                options.RequireHttpsMetadata = false;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidIssuer = Configuration["JWT:Issuer"],
                    ValidAudience = Configuration["JWT:Audience"],
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["JWT:Secret"]))
                };
            });

            services.AddControllers();
        }

        
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            app.UseDeveloperExceptionPage();

            app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseCors("CorsPolicy");

            app.UseForwardedHeaders(new ForwardedHeadersOptions
            {
                ForwardedHeaders = ForwardedHeaders.All
            });

            app.UseAuthentication();
            app.UseRouting();
            app.UseAuthorization();
            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }

Solution

  • Solution to my problem, maybe small but impactfull detail

    I forgot to put Authorize-attribute on top of my Request method

    [HttpGet, Authorize]
    public IActionResult GetMaterialDetails()